
Chubb considers the risk implications of Biometric Security

Biometric security offers new convenience for users, but what risks are companies taking when they roll out this technology? Paul Rubens finds out.

Imagine a world where you can walk up to a cash machine and withdraw money without using a card or entering a PIN. Or a world where you can order groceries online without even entering a username and password. That is the promise of biometric authentication. In contrast to password verification, which relies on you providing something you know, biometric authentication relies on something you are: a fingerprint, a sample of your voice or, in the case of facial recognition, a clear view of your face.

The benefits of biometric authentication are obvious – you can forget your password or lose your card, but you cannot forget or mislay your fingerprint, your voice, your face, or any other physical feature. Convenience is also a factor, as looking briefly into a camera, for example, is much easier than typing in a long password.

For these reasons, biometric products are increasingly popular: research firm MarketsandMarkets forecasts that the global facial recognition market alone will grow from around US$3.3 billion (€3.1 billion) in 2016 to US$6.8 billion (€6.5 billion) by 2021. Biometric technology is likely to be deployed in almost every sector of the economy, from facial recognition in hospitals, to fingerprint scanning on construction sites, to voice recognition on telephone banking services.

Determined hackers

But biometric security is not impregnable. Many biometric readers, especially more affordable ones such as those found on smartphones, reduce the captured trait to a digital value. That value is then put through a cryptographic process called ‘hashing’. The captured data carries only about as much unpredictability as a medium-length password, which means that a determined hacker could get around the safeguard in many cases, according to Karsten Nohl, a member of German security collective Security Research Labs.

“A complex password is virtually uncrackable, and a fingerprint can’t be better than that,” he says. “It may be better than a simple password, but not better than a strong one.” And hacking some voice recognition systems is trivial: “You can pretty much make any voice sound like any other.” Karsten has also demonstrated that an iPhone fingerprint reader can be fooled using an imitation finger sprayed with graphite to simulate the properties of skin.

However, there are a number of ways to enhance the security of biometric authentication systems. One technique is to combine several different types of biometrics and other information, such as the location of the user and the time of day, at the same time to build a complex profile of that person. This creates a digital portrait that can be used to recognise them, and which is harder to forge.

Assuming that the biometric system is well designed and cannot easily be fooled by someone with an imitation finger or photograph, the biggest risk is that a hacker somehow gets hold of the biometric data stored by a company – the equivalent to someone making off with a list of passwords.

The oft-cited problem with biometric data is that while customers can change their passwords, they cannot change their fingerprints, their voice or their face. In theory that is not a problem, because a company can ‘salt’ the digitised biometric information by combining it with a random piece of data before hashing it, and the stored value then depends on the salt as well as the trait. That way, if the stored information is compromised, new stored values can be generated by re-enrolling users and combining the newly captured biometric data with a different salt, which is the biometric equivalent of changing every user’s password.

Yet many companies do not carry out hashing, says Karsten. When it comes to fingerprints, some actually store the fingerprint information in a form that is close to the original, with no hashing – perhaps so that users can log on using different fingerprint readers. “Some systems store the exact image that the reader captures when it reads a finger,” he says. “So all the information you need (as a hacker) is right there.”

New data, new risks

This has important implications if customers’ biometric data is stolen, according to Matthew Clark, director of global markets at insurance broker La Playa. “Biometric data is a measurement of physical traits, so it could be seen as something akin to medical records data,” he points out. “That means there are serious data-related exposures: if you allow a data breach through negligence, that could land you in hot water with regulators,” he says. “Even if the breach is due to third-party negligence you could face the costs of a regulatory investigation, notifying customers, and many others.”

When it comes to regulations, Matthew stresses that anything relevant to personally identifiable information is likely to apply. Biometric technology is also likely to fall directly within the scope of new regulations. “Regulators are evolving the law in this area, and people drafting new laws are aiming to make them as futureproof as possible,” says Matthew. “So, for example, biometric technology will fall within the scope of the EU’s General Data Protection Regulation.” This comes into force in 2018, replacing the 1995 Data Protection Directive.

The impact of this regulation could be significant, warns Karen Strong, technology manager for UK and Ireland at Chubb. “The new EU data regulations will introduce penalties (as well as new procedures and appointments) for an insured where they are in breach of security with regards to third-party data. The regulations will impose strict controls over personal data and the fines for not adhering to these are significant,” she says.

Fines and penalties are only covered by insurers where they are legally insurable and the insured is legally liable. “In the UK, though, legal fines are generally not insurable, although cyber insurance forms will provide cover for regulatory fines (other than those uninsurable, such as criminal fines) following a data breach,” says Karen.

Photography: Getty

Get in touch: if you would like to discuss any of the issues raised in this article, please contact Karen Strong at

More generally, she advises that if biometric data is held in a form that can be defined as personally identifiable information, it gives rise to privacy risk. “With biometric data, breach of privacy is probably the biggest risk for a company hosting this data, along with the subsequent first-party consequential losses associated with a breach,” explains Karen. Insurers take this into consideration when assessing risk. “Points we would discuss with an insured, bearing in mind all of our clients are providers of technology, could include what steps need to be taken to ensure that the personal data they host is not used for any other purpose than that agreed to by the individual,” she says. “Therefore, we would consider how they keep the data safe; is it encrypted, separated and stored in multiple places; what is their systems security like; and are they ISO 27001 accredited or PCI compliant?”

Understanding the supply chain is also important for providers of technology and insurers alike. “We would work with a client to assess what risk any of their service providers represent: what quality controls do they have in place, both physically and contractually, and what security measures do they have in place to secure the data,” says Karen. Another factor taken into consideration is the risk of underlying technology failing. Karen says: “We would be assessing the quality assurance procedures of the technology provider – are they documented and fully effective, how has the software been tested prior to launch?”

There are also risks beyond the more obvious crime and security breaches. For example, Karen asks: “What would the impact be if an age verification system failed to work properly? If alcohol was sold to an underage person because a biometric identification system was flawed, what would happen if they then injured themselves or caused injury to others?” These would be third-party insurance considerations, but it is also important to consider the potentially significant first-party costs associated with ‘reworking’ the biometric data following a breach.

Breach of privacy

“As insurers, we have to consider our clients’ exposures from both a first- and third-party perspective. There are immediate first-party expense risks for those responsible for data and the associated notifications in the event of a breach, along with legal liability exposure in respect of pass-through fines and penalties presented as damages awarded for the failure to deliver a secure service and protect the personal details held as biometric data,” says Karen.

While it is still early days for biometric authentication, Karen firmly agrees with the MarketsandMarkets research that predicts its influence will increase rapidly. “My personal view is that without a doubt this technology will grow in significance in our everyday lives, and subsequently the insurance market needs to be prepared to respond, from both a risk assessment and cover perspective,” she concludes.

Top 3 tips for risk managers

  • Biometric data should be altered (‘salted’) and run through a cryptographic process (‘hashed’) before it is stored. If this is not done correctly, data is likely to fall into the category of personally identifiable information, and a security breach could have serious privacy implications.
  • This technology will fall within the scope of the EU’s new General Data Protection Regulation, which comes into force in 2018.
  • Security breaches are always expensive, but if users of biometric authentication systems have to re-enrol themselves (for example by supplying fingerprint information) then this can be more expensive and time consuming than asking users to change their password.
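The salting, hashing and re-enrolment steps described in the article (and summarised in the first tip above), as an added example that is not part of the original article or of any Chubb or Security Research Labs material. It uses only the Python standard library. The SAMPLE_TEMPLATE value is constructed, and the code assumes the reader has already reduced a capture to a stable, canonical byte string; real captures differ slightly from reading to reading, so a production system needs a matching or template-protection stage before a template can be treated as an exact-match secret in this way. The unsalted_digest helper stands in for the weaker storage practice the article describes, where the stored value for a given finger is the same wherever it is enrolled.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a canonically digitised fingerprint template.
# Assumption: the reader has already produced a stable, exact-match encoding.
SAMPLE_TEMPLATE = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6d7e8f9")

PBKDF2_ITERATIONS = 200_000  # slow hash so guessing a medium-entropy template is costly
SALT_LEN = 16                # 128-bit random salt per enrolment


def enrol(template: bytes, salt: Optional[bytes] = None) -> dict:
    """Build the stored record: a fresh random salt plus the salted digest.

    Nothing derived from the raw template is kept except the digest.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", template, salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify(record: dict, candidate: bytes) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate, record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def re_enrol(old_record: dict, fresh_capture: bytes) -> dict:
    """Post-breach rotation: the user re-enrols and a new salt is drawn.

    The trait is unchanged, but the stored value is new, so a leaked copy of
    the old record is worthless against the rebuilt store.
    """
    new_record = enrol(fresh_capture)
    # A repeated 128-bit salt is astronomically unlikely; guard anyway.
    while new_record["salt"] == old_record["salt"]:
        new_record = enrol(fresh_capture)
    return new_record


def unsalted_digest(template: bytes) -> bytes:
    """What an unsalted scheme stores: identical for the same finger everywhere."""
    return hashlib.sha256(template).digest()


def rotation_demo(template: bytes) -> dict:
    """Run the enrol / breach / re-enrol sequence and report what held."""
    record = enrol(template)                 # original enrolment
    leaked_digest = record["digest"]         # attacker copies the store
    rotated = re_enrol(record, template)     # user re-enrols after the breach
    other_site = enrol(template)             # same finger enrolled elsewhere
    return {
        "old_record_verifies": verify(record, template),
        "new_record_verifies": verify(rotated, template),
        "wrong_finger_rejected": not verify(rotated, b"a different finger"),
        "leaked_digest_matches_new_store": hmac.compare_digest(
            leaked_digest, rotated["digest"]
        ),
        # Salted records for the same finger cannot be matched across stores.
        "salted_records_linkable": record["digest"] == other_site["digest"],
        # Unsalted digests can: one leak identifies the person everywhere.
        "unsalted_records_linkable": unsalted_digest(template)
        == unsalted_digest(template),
    }


if __name__ == "__main__":
    for key, value in rotation_demo(SAMPLE_TEMPLATE).items():
        print(f"{key}: {value}")
```

The two properties worth noting are the per-user salt, which makes the stored value for one finger differ between enrolments and between organisations, and the rotation step, which replaces every stored value without the user needing a new finger. The iteration count is a cost knob: it should be set as high as the enrolment and login latency budget allows, because the template itself has limited unpredictability.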
